An Elasticsearch database holding 42 million records of
Iranian Telegram users was found on the web, for anyone to access. The private
data included phone numbers and user names, and it’s unclear how long it was
exposed.
Despite heavy restrictions targeting the Telegram app in
Iran, it remains one of the most-used communication platforms in the country.
Its end-to-end encryption technology allows users to talk among themselves
without anyone snooping on the conversation.
The fact that Telegram is open source is a problem, in this
situation, because a number of forks have appeared in Iran, and some people
choose to install those instead of the official app. These forks are not as
secure, and the data they collect could end up the wrong place, which is
exactly what happened in this case.
The database was found by Comparitech and security
researcher Bob Diachenko. Telegram confirmed
that the data comes from third-party forks of their apps.
“We can confirm that the data seems to have originated from
third-party forks extracting user contacts,” the company said. “Unfortunately,
despite our warnings, people in Iran are still using unverified apps. Telegram
apps are open source, so it’s important to use our official apps that support
verifiable builds.”
It took 11 days for the database to be taken down, but the
researchers say the data was accessed by other parties, including a hacker who
reported the information to a specialized forum.
The database contained account IDs, usernames, phone
numbers, and hashes and secret keys. The good news is the hashes and keys can
only be accessed from inside the account of the user they belong to. It’s also
unclear what entities control the Telegram forks in Iran, and whether they are
private or state-owned.